How To Set Up OTLP/HTTP Receiver in Astra Traffic Collector

Last updated: June 12, 2026

Introduction

By default, Astra Traffic Collector listens on port 4317 for gRPC communication from sensors. In some environments, sensors require OTLP/HTTP communication instead, which runs on port 4318. This guide walks you through configuring Astra Traffic Collector to accept OTLP data over HTTP or HTTPS on port 4318.

Choose the option that matches your deployment:

  • Option A: HTTP — recommended when the sensor and Astra Traffic Collector are on the same VM, VPC, or Kubernetes cluster

  • Option B: HTTPS — required when traffic between the sensor and collector crosses an external network

Prerequisites

Before you begin, make sure the following is in place:

  • Astra Traffic Collector is installed and running — either on a Linux VM or as a Kubernetes deployment

  • You have access to edit config_custom.yaml in the Astra Traffic Collector installation directory

  • (Option B only) TLS certificates — server.crt, server.key, and optionally ca.crt for self-signed or untrusted CAs — are available on the host.

Instructions

Option A: HTTP Configuration (if Astra Traffic Collector resides in the same VM or VPC as the sensor)

This is the recommended option if Astra Traffic Collector is running as a Kubernetes container.

Step 1: Edit the config_custom.yaml

Locate config_custom.yaml under the installation directory of Astra Traffic Collector and add the following receiver configuration:


receivers:
  otlp:
    protocols:
      http:
        endpoint: "0.0.0.0:4318"  # HTTP receiver on port 4318

processors:
  #...existing

Step 2: Restart the Astra Traffic Collector

Option B: HTTPS Configuration (if communication between the sensor and collector must happen over an external network)

Step 1: Edit the config_custom.yaml

Locate config_custom.yaml under the installation directory of Astra Traffic Collector and add the following receiver configuration:


receivers:
  otlp:
    protocols:
      http:
        endpoint: "0.0.0.0:4318"  # HTTPS receiver on port 4318 (TLS enabled below)
        tls:
          cert_file: "/etc/otelcol-contrib/server.crt"
          key_file: "/etc/otelcol-contrib/server.key"
          ca_file: "/etc/otelcol-contrib/ca.crt"

Use the ca_file field only for self-signed or untrusted CAs.

Also mount the certificates in docker-compose.yaml:


volumes:
  - <path_to_certificates>/<server-cert-file>:/etc/otelcol-contrib/server.crt:ro
  - <path_to_certificates>/<server-key-file>:/etc/otelcol-contrib/server.key:ro
  - <path_to_certificates>/<ca-cert-file>:/etc/otelcol-contrib/ca.crt:ro

Step 2: Restart the Astra Traffic Collector

Best Practices

Choose the right protocol for your deployment
Use HTTP (Option A) whenever the sensor and collector are co-located — same VM, VPC, or Kubernetes cluster. Only switch to HTTPS (Option B) when traffic must travel over an external or untrusted network. Adding TLS unnecessarily introduces certificate management overhead without a security benefit in closed networks.

Keep certificates in a dedicated directory
Store TLS certificates in a consistent, access-controlled location on the host (e.g. /etc/astra/certs/). Avoid placing them inside the installation directory or alongside config files, as these may be overwritten during upgrades.

Use CA-signed certificates in production
The ca_file field is intended for self-signed or untrusted CAs. In production environments, prefer certificates issued by a trusted CA to avoid sensor-side validation errors and reduce manual cert distribution.

Rotate certificates before expiry
TLS certificates have expiration dates. Set a reminder to renew and remount them before they expire — an expired cert will silently drop all OTLP/HTTP traffic to the collector.

Restrict port 4318 access
If running Option A, ensure port 4318 is not exposed beyond the local network or VPC. If running Option B, restrict inbound access to port 4318 to only the IPs or CIDR ranges where your sensors reside.

Validate your config before restarting
After editing config_custom.yaml, review the YAML syntax carefully before applying the restart. A malformed config will cause the collector to fail on startup and interrupt all traffic capture.
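
A pre-restart check for the Option B certificate files, covering the expiry and validation points above. This is an added example, not part of Astra Traffic Collector: check_collector_tls is a hypothetical helper name, and it assumes the openssl CLI is installed on the host and the private key is unencrypted.

```shell
#!/bin/sh
# Added example: verify the Option B TLS files before restarting the collector.
# check_collector_tls is a hypothetical helper, not shipped with the product.
# Usage: check_collector_tls <cert> <key> [ca-file] [min-days-left]
# Returns: 0 ok, 1 unreadable/unparsable file, 2 cert/key mismatch,
#          3 certificate expires too soon, 4 certificate does not chain to CA.
check_collector_tls() {
    cert=$1; key=$2; ca=${3:-}; min_days=${4:-30}

    # Every file that was named must be readable (the CA file is optional).
    for f in "$cert" "$key" "$ca"; do
        [ -z "$f" ] || [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done

    # The public key in the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate and key do not match" >&2; return 2; }

    # -checkend exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 ||
        { echo "certificate expires within $min_days days" >&2; return 3; }

    # With a self-signed or private CA, the server certificate must chain to it.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
            { echo "certificate does not chain to $ca" >&2; return 4; }
    fi
    return 0
}

# Example call against the host-side files mounted in docker-compose.yaml
# (paths are placeholders, as in the volumes section):
# check_collector_tls <path_to_certificates>/<server-cert-file> \
#                     <path_to_certificates>/<server-key-file> \
#                     <path_to_certificates>/<ca-cert-file> 30
```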